Millions of Verizon Customer Records Exposed on AWS Server

On Wednesday, Verizon confirmed that personal records of 6 million customers were leaked online due to “human error.”

The leaked information includes customer phone numbers, names, and some PIN codes used to confirm the identity of people who call for customer service.

It was earlier reported that around 14 million client records had been made publicly available online. Chris Vickery, a researcher at UpGuard, found the exposed data on an unprotected Amazon S3 storage server controlled by an employee of Nice Systems.


According to reports, Nice Systems is a Ra’anana, Israel-based company that Verizon works with to manage its customer service calls. The company is involved in two main enterprise software markets: customer engagement, and financial crime and compliance, including tools that prevent money laundering and fraud.

On June 13, Vickery personally alerted Verizon about the leak. After over a week, on June 22, the leaked data was eventually secured.

Further investigations revealed that the records contain the customer service log files of Verizon customers for the past six months. Each record includes a customer’s name, a cell phone number, and their account PIN, which would enable anyone who has it to access the subscriber’s account.

There are six folders, one for each month from January to June. Each contains several daily log files of what appears to be customer call recordings from different parts of the United States. Every record has fields of additional customer data, including the customer’s home address, email address, the current balance of the account, and other sensitive information such as whether a subscriber has a Verizon federal government account.

Ted W. Lieu | Democratic member of the United States House of Representatives, representing California’s 33rd congressional district since 2015

Democratic Congressman Ted Lieu, also a Verizon client, said that the exposure was ‘highly troubling.’ In a statement sent to ZDNet, he said that he would be asking the Judiciary Committee to hold a hearing on the leak, because Congress has to find out the scale and scope of what happened and ensure that it does not happen again.

Dan O’Sullivan, a Cyber Resilience Analyst with UpGuard, is particularly concerned about the exposed PINs.

“A scammer could receive a two-factor authentication message and potentially change it or alter the authentication to his liking,” O’Sullivan said. He further added that such action could cut off the access of the real account holders.

The leak apparently happened because a security setting was not configured correctly by Nice. Instead of being set to private, it was set to public on an Amazon S3 storage server.

Amazon S3 is a storage technology commonly used by businesses to store records in the cloud. The setup error means that Verizon data stored in the cloud was temporarily visible to anyone who had access to the public link.

Not the First Amazon S3 Storage Leak

This is not the first time that sensitive records were leaked because of a poorly configured Amazon S3 storage unit.

In June, an analytics firm exposed the data of over 200 million U.S. voters, and early this month, an insecure server leaked over 3 million WWE fans’ data. By default, these servers are automatically secured by Amazon. So, the question is, why is this happening?

According to O’Sullivan, such a breach in security typically happens when someone changes the security setting by accident. The current incident with Verizon only highlights how many third parties have access to customer information. O’Sullivan further added:

“Cyber risk is a fact of life for any digital service. As data becomes more powerful and more accessible, the potential consequences for it to be misused also becomes more dangerous.”

With the recent cyber attacks, many of them a product of human error, are customer records safe in the hands of these allegedly ‘trusted’ companies?

What additional layer of cyber security could be put in place to ensure that all customer information is safe from the prying eyes of cyber criminals?